Introduction

The General Data Protection Regulation (GDPR) regulates the processing of data relating to individuals. This includes obtaining, holding, using or disclosing such data, whether it is held in digital records or on paper.

Visit Southend shall hold the data necessary to perform its functions. All data held is confidential and treated with care in order to comply with the law. Lawful and correct treatment is essential to maintaining user confidence. Any data collected, recorded or used, whether on paper, digitally or via other media, shall be handled fairly, stored safely, safeguarded and not disclosed to others unlawfully, in order to comply with the GDPR.

Visit Southend shall review business changes and determine whether registration with the Information Commissioner's Office (ICO) is required.

Data Acquisition

Any staff members acquiring data in any way are responsible for:

Vetting – ensuring that the data, and the way it was obtained, comply with the GDPR

Any data acquired for marketing purposes (email lists, phone numbers, addresses etc.) must be acquired through legal methods or from reputable suppliers. Individuals must have opted in to receive marketing messages

Any purchased or rented data must be checked to ensure that no individual on the list has opted out of marketing

Before data is purchased or rented, Proof of Provenance must be obtained. This document clearly states the data's origin and how it has been used, moved and/or altered, and should show that the individuals on it consented to marketing

If the supplier cannot or will not supply an adequate Proof of Provenance, that supplier's services CANNOT be used

Data will normally be acquired directly from the source (the individual) rather than from a supplier. Such data is less likely to be corrupted, out of date or exposed

However, using a supplier does not shift responsibility: it is no defence to a complaint about Visit Southend and does not protect Visit Southend from penalties, since Visit Southend remains the data controller. Suppliers MUST be International Organization for Standardization (ISO) or Direct Marketing Association (DMA) certified

Any data, whether acquired by Visit Southend or by a third-party supplier, for which the individuals have not opted in must not be used; using it could put Visit Southend at risk of penalties from the ICO.

Data Classification

Staff members who regularly handle, store and transfer personal data are responsible for assessing its importance and sensitivity and assigning its classification. Recipients must be made aware of the classification and of the precautions it requires.

Data Transference

When transferring data, whether within Visit Southend or externally to other individuals or organisations, ensure that:

Recipient(s) are authorised to receive the data. Confidential information must not be shared with unauthorised persons by any means. Doing so may lead to disciplinary action

All reasonable steps have been taken to ensure a safe transfer: use SSH File Transfer Protocol (SFTP), and avoid sending data by email where possible. If email cannot be avoided, the file must be encrypted and the password sent separately, as described below for transfers outside the European Union

Sender(s) must log the date, time, recipient, filename, format, method of transfer and classification of the data, and should enable a read receipt. They must ask recipients external to Visit Southend to acknowledge receipt and the time it was received

Recipients should also log the date, time, sender, filename and type of data received

Senders should tell the recipient the size, layout and number of files being transferred, so that the recipient can allow the appropriate time to work with them and process them promptly. The same details should be requested from senders external to Visit Southend

Received data is to be checked against the sender's documentation as soon as possible to confirm that the correct files were sent

Data should not be transferred outside the European Union. If it MUST be, a Company Director needs to sign off the transfer, and an appropriate safeguard under the GDPR (such as an adequacy decision or standard contractual clauses) must be in place

If this is the case, ensure the following takes place:

The information is depersonalised (anonymised or pseudonymised) wherever it can be

File(s) are encrypted and protected with a strong password

Passwords are sent separately, by a different channel from the file itself

Once the transfer is complete, the emails are immediately deleted from the relevant mailboxes and folders, including the deleted items / trash folder

Data Storage

It is the employee's responsibility to ensure that all data is stored correctly. Visit Southend will provide secure storage for data: archiving for electronic data (plus regular backups and cleansing) and lockable cabinets for hard copies. All devices shall be encrypted and protected with strong passwords.

Employees must ensure that personal information which they have access to is:

Stored securely, and held locally only for the required and appropriate time

Encrypted and protected with a strong password

Removed from any device, cloud storage platform or company-controlled area once it is no longer required

Removed from secure storage when no longer needed – regular checks must take place to confirm this

All hard copies (e.g. personnel information and financial statements) must be kept in secure storage and put away when not in use. Only management and the marketing team are to have access to this storage

Any breach of this may lead to disciplinary action

Breach Procedure

In the event of a data breach (loss or theft of the data itself or of a storage device, or any other security breach), employees must inform management immediately, and management must then inform the Directors. The nominated members will assess the severity in order to respond correctly. Where the breach is likely to result in a risk to individuals, the GDPR requires that the ICO be notified without undue delay and, where feasible, within 72 hours of Visit Southend becoming aware of it.

If Visit Southend users have had their data compromised by an employee or third party, they shall be informed by management immediately, by telephone if possible and otherwise by email. If it is found that the breach was due to the actions of an employee or third party, disciplinary or criminal action may be taken.

Personnel records

The data protection rules give individuals the right to see certain information held about them. Under the GDPR this is normally free of charge; a fee may be charged only where a request is manifestly unfounded or excessive, or for further copies. However, in rare cases information may not be disclosed, for example where a document also contains personal information about another individual.

If an employee wishes to view their records, they must ask management.

Keeping your information up to date

Please help us to keep your information up to date by letting us know of any changes to your name, address, home telephone number, next of kin or emergency contact (and their details), and anything (medical or otherwise) that would be needed in an emergency.

Viewing your personnel record

Personal and salary records are confidential, so access to them is restricted. Under the GDPR and employment law, employees are entitled to access certain records. Any request to view personal records should be made to management.

There is a minimum notice period of ten working days for a request to view either of these records. Files must be made available as soon as possible after the notice period and, in any event, within 21 days. They may only be viewed at Southend BID, Pier Offices, Western Esplanade, Southend-on-Sea SS1 1EE and must not be removed from that address.

Information that may NOT be viewed by employees

Employees may not view confidential employment references or personal data processed for the purposes of management forecasting and planning.

In addition, personal data within personnel files from which a third party can be identified must not be viewed.

The only exceptions are:

If the third party has consented to disclosure of information to the individual making the request

Health records – if the third party is a health professional who has compiled or contributed to the record

If it is reasonable in all circumstances to comply with the request without the consent of the third party

Personal data will be used only in connection with the individual's employment and for no other purpose. Disclosing it to a third party without prior authorisation may be treated as a disciplinary offence.